Qualcomm has published its May 2026 Security Bulletin, disclosing serious flaws in its software and hardware. The bulletin highlights several Critical issues that could let unauthorized users access and corrupt memory on millions of devices using Qualcomm chipsets.
The company is sharing patches with Original Equipment Manufacturers (OEMs) and has advised them to deploy these updates to released devices as soon as possible.
The most severe flaw fixed this month is CVE-2026-25254, which has a CVSS score of 9.8. Found in the Qualcomm Software Center (QSC), this “Critical” flaw stems from improper authorization in the SocketIO interface.
Vulnerability Type: Improper Authorization (CWE-285).
Impact: This flaw leads directly to Remote Code Execution (RCE).
Access Vector: Remote.
Affected Versions: QSC v1.17.1, v1.19.1, and v1.21.0.
An attacker could use this interface to run malicious commands without being physically near the device.
Another critical flaw resides at the very foundation of device security: the Primary Bootloader. Tracked as CVE-2026-25262, this “Write-what-where” condition occurs while the system processes a crafted ELF (Executable and Linkable Format) file.
Although this attack requires local access, it causes serious memory corruption that threatens boot integrity. The problem affects various older and specialized chipsets, such as the MSM8909, MSM8916, and SDX50.
Qualcomm also fixed a serious problem in its PLC (Power Line Communication) Firmware, tracked as CVE-2026-25293. This issue has a CVSS score of 9.6 and is caused by improper authorization that leads to a buffer overflow. Like the Software Center issue, this flaw is remotely reachable, and it affects the QCA7005 chipset. The risk is greater because exploitation can bypass security and affect the whole system.
Qualcomm supplies the technology for many smartphone and IoT makers, so users can’t fix these problems themselves. They have to wait for their device maker (OEM) to release a system update.
